Keeping up with PCI hasn't improved much: Verizon

Businesses aren't getting much better at meeting payment card industry (PCI) standards year-to-year, perhaps because they get cocky about passing one year and figure they will breeze through the next, according to a study by Verizon PCI and Risk Intelligence teams.

The 2011 study found that initially, 79% of businesses assessed failed compliance, with 21% of those who failed being between 90% and 99% compliant.

These results are about the same as last year, and the percentages haven't improved, in part, because businesses are overconfident. They feel that the process was painful, but having passed, the following year should be easy. "That can be a costly mistake," the report says.

The report was compiled using data gathered by Verizon security assessors and by Verizon's investigative teams that examine payment-card data breaches. The businesses assessed were dealing with PCI DSS 1.2; the current version is 2.0.

Companies that failed the initial assessment met, on average, 78% of the compliance requirements.

The study took a look, one-by-one, at how well businesses did complying with each of the 12 PCI requirements during the initial report. They did best at restricting access to data on a need-to-know basis, with 75% compliance initially. A close second with 72% went to encrypting sensitive data across public networks. Using and updating antivirus software was third at 64%.

Businesses did worst at regularly testing security systems and processes with a score of 37%. Coming in second was maintaining an information security policy at 39%, and third was protecting stored data at 42%.

The study also considered compliance requirement-by-requirement in organizations being assessed after a data breach. Only 19% of those suffering a data breach met requirements for regularly testing security systems and processes and for maintaining an information security policy. Only 21% complied with protecting stored data. The requirement that was met least by breached companies was tracking and monitoring access to network resources and cardholder data at 11%.

The top four successful threat actions that resulted in data breaches were sending data to external sites, backdoors allowing remote access or control, exploiting guessable credentials and exploiting backdoor or command-and-control channels.

Real-world demands and fatigue can get in the way of compliance, the study says. "When faced with the choice of where to place their energies, many people will choose to just get things done rather than worrying about the 'right way' or the 'compliant way,'" the study says. "The organization might take notice of PCI while the QSA is on-site, but afterwards allow a significant portion of the necessary practices to erode over time."

Fully staffed security departments are a rarity, and security in general is still viewed in some organizations as a drag on business rather than an accepted part of dealing with risk. "Too few companies have a manager or director in charge of compliance efforts, and lack an informed sponsor at the senior or executive level within the corporation to provide support and guidance for projects," the study says.

Making things more difficult, PCI is a moving target that gets tougher year by year. In addition to new versions of the standards, clarifications about existing standards mean narrowing interpretations of the rules and redefining what is acceptable. So what met requirements one year might not the next. "This will become increasingly true as the PCI DSS 2.0 requirements are used for all assessments starting in January 2012," according to the report.

Some suggestions for success:

= Choose a champion with clout.

= Beware self-evaluations because the individual involved may be conflicted and ill-qualified.

= Don't procrastinate on required testing. Leave time for remediation.